I just mean don't use it as the TO or FROM field, since people may then simply abuse the form to send email TO or FROM an email address of their choice using your page.
I think you could add: \r\n to the list of allowed characters. Those are the line break characters and should be able to be added... you may need to use \\r\\n since backslash is normally an escape character.
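A sketch of the two points above, added here as an example and not code from this thread: To and From are fixed by the site, and line breaks are allowed only in the message body, never in fields that end up in headers. The Python choice, the addresses, the allow-list patterns and the function name `build_contact_message` are all assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed site-owned addresses (placeholders); never taken from the form.
SITE_TO = "owner@example.com"
SITE_FROM = "webform@example.com"

# Assumed allow-lists. Fields that reach a header exclude \r and \n;
# only the message body may contain line breaks.
SUBJECT_OK = re.compile(r"[A-Za-z0-9 .,!?'()-]{1,100}")
EMAIL_OK = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BODY_OK = re.compile(r"[A-Za-z0-9 .,!?'()@:;/_\r\n-]{1,5000}")


def build_contact_message(visitor_email, subject, body):
    """Return an EmailMessage for a contact form, or raise ValueError."""
    # fullmatch() checks the whole string, so a trailing line break fails too.
    if not EMAIL_OK.fullmatch(visitor_email):
        raise ValueError("invalid visitor email")
    if not SUBJECT_OK.fullmatch(subject):
        raise ValueError("invalid subject")
    if not BODY_OK.fullmatch(body):
        raise ValueError("invalid body")

    msg = EmailMessage()
    # To and From are constants: the form cannot choose either address.
    msg["To"] = SITE_TO
    msg["From"] = SITE_FROM
    msg["Subject"] = subject
    # The visitor's address travels as body text, not as a header.
    msg.set_content("Sender: " + visitor_email + "\r\n\r\n" + body)
    return msg


if __name__ == "__main__":
    # Constructed sample input: a multi-line body is accepted.
    print(build_contact_message("visitor@example.org", "Question",
                                "line one\r\nline two"))
```
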